Homenet Working Group                                           S. Barth
Internet-Draft
Intended status: Standards Track                        October 14, 2014
Expires: April 17, 2015


                  HNCP - Security and Trust Management
               draft-barth-homenet-hncp-security-trust-01

Abstract

   This document describes threats and a security and trust bootstrap
   mechanism for the Home Networking Control Protocol (HNCP).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 17, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.






Barth                    Expires April 17, 2015                 [Page 1]


Internet-Draft    HNCP - Security and Trust Management      October 2014


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements language . . . . . . . . . . . . . . . . . . . .   2
   3.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Border Determination  . . . . . . . . . . . . . . . . . . . .   3
   5.  HNCP Payload Security . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Isolated router-to-router links . . . . . . . . . . . . .   4
     5.2.  Authentication and Encryption of HNCP-traffic . . . . . .   4
   6.  Trust Management for Authentication and Encryption  . . . . .   4
     6.1.  Pre-shared secret based trust . . . . . . . . . . . . . .   4
     6.2.  PKI-based trust . . . . . . . . . . . . . . . . . . . . .   5
     6.3.  Certificate-based trust consensus . . . . . . . . . . . .   5
       6.3.1.  Trust Verdicts  . . . . . . . . . . . . . . . . . . .   5
       6.3.2.  Trust Cache . . . . . . . . . . . . . . . . . . . . .   6
       6.3.3.  Announcement of Verdicts  . . . . . . . . . . . . . .   6
       6.3.4.  Bootstrap Ceremonies  . . . . . . . . . . . . . . . .   7
   7.  Other homenet protocols . . . . . . . . . . . . . . . . . . .   8
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
     8.1.  Revocation of Trust . . . . . . . . . . . . . . . . . . .   9
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     10.1.  Normative references . . . . . . . . . . . . . . . . . .  10
     10.2.  Informative references . . . . . . . . . . . . . . . . .  10
   Appendix A.  Draft source . . . . . . . . . . . . . . . . . . . .  11
   Appendix B.  Acknowledgements . . . . . . . . . . . . . . . . . .  11
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   HNCP is designed to make home networks self-configuring, requiring as
   little user intervention as possible.  However this zero-
   configuration goal usually conflicts with security goals and
   introduces a number of threats.

   This document describes imminent threats and different security and
   trust management mechanisms to mitigate them.

2.  Requirements language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].








Barth                    Expires April 17, 2015                 [Page 2]


Internet-Draft    HNCP - Security and Trust Management      October 2014


3.  Scope

   This draft is based on HNCP as described in [I-D.ietf-homenet-hncp]
   and the additional threats it introduces.  Many of these already
   exist in a similar form in current single-link home networks due to
   the usually unauthenticated use of protocols like NDP [RFC4861] or
   DHCPv6 [RFC3315].  This document intentionally does not cover these
   and other Homenet-related threats not explicitly introduced by HNCP.

   HNCP is a generic state synchronization mechanism carrying
   information with varying threat potential.  This draft will mainly
   consider the currently specified payloads:

      Network topology information such as homenet routers and their
      adjacent links

      Address assignment information such as delegated and assigned
      prefixes for individual links

      Naming and service discovery information such as auto-generated or
      customized names for individual links and routers

      IGP capabilities and preferences of individual routers

4.  Border Determination

   In general an HNCP-router determines the internal or external state
   on a per-link scale and creates a firewall-perimeter and allows HNCP-
   and IGP-traffic based on the individual results.  These are provided
   by either automatic border discovery or a predefined configuration
   indicated by e.g. the link-type, a physically dedicated (labeled)
   port or the administrator.

   Threats concerning automatic border discovery cannot be mitigated by
   encrypting or authenticating HNCP-traffic itself since external
   routers do not participate in the protocol and often cannot be
   authenticated by other means.  These threats include propagation of
   forged uplinks in the homenet in order to e.g. redirect traffic
   destined to external locations and forged internality by external
   routers to e.g. circumvent the perimeter firewall.

   It is therefore imperative to either secure individual links on the
   physical or link-layer or preconfigure the adjacent interfaces of
   HNCP-routers to an adequate fixed-category in order to secure the
   homenet border.  Depending on the security of the external link
   eavesdropping, man-in-the-middle and similar attacks on external
   traffic can still happen between a homenet border-router and the ISP,
   however these cannot be mitigated from inside the homenet.



Barth                    Expires April 17, 2015                 [Page 3]


Internet-Draft    HNCP - Security and Trust Management      October 2014


5.  HNCP Payload Security

   Once the homenet border has been established there are several ways
   to secure HNCP against internal threats like manipulation or
   eavesdropping by compromised devices on a link which is enabled for
   HNCP-traffic.  If left unsecured attackers may cause arbitrary
   spoofing or denial of service attacks on HNCP-services such as
   address assignment or service discovery.  Furthermore they may
   manipulate routing or external connection information in order to
   perform eavesdropping or man-in-the-middle attacks on outbound
   traffic.  The following security mechanisms are defined to mitigate
   these threats:

5.1.  Isolated router-to-router links

   Given that links containing HNCP routers can be sufficiently secured
   or isolated it is possible to run HNCP in a secure manner without
   using any form of authentication or encryption.  Detailed interface
   categories like "leaf" or "guest" can be used to integrate not fully
   trusted devices to various degrees into the homenet by not exposing
   them to HNCP and IGP traffic or by using firewall rules to prevent
   them from reaching homenet-internal resources.

5.2.  Authentication and Encryption of HNCP-traffic

   The end-to-end mechanism DTLS [RFC6347] is used to authenticate and
   encrypt all HNCP unicast-traffic in order to protect its potentially
   sensitive payload.  Methods for establishing and managing trust for
   this mechanism are described in the following section.

   HNCP also uses multicast signaling to announce changes of HNCP
   information but will not send any actual payload over this channel.
   An attacker may learn hash-values of HNCP-information and may be able
   to trigger unicast synchronization attempts between routers on the
   local link this way.  An HNCP-router should therefore limit its
   unicast synchronizations attempts to avoid a multicast-induced
   denial-of-service.

6.  Trust Management for Authentication and Encryption

6.1.  Pre-shared secret based trust

   A PSK-based trust model is a simple security management mechanism
   that allows an administrator to deploy devices to an existing network
   by configuring them with a pre-defined key, similar to the
   configuration of an administrator password or WPA-key.  Although
   limited in nature it is useful to provide a user-friendly security
   mechanism for smaller homenets.



Barth                    Expires April 17, 2015                 [Page 4]


Internet-Draft    HNCP - Security and Trust Management      October 2014


6.2.  PKI-based trust

   A PKI-based trust-model enables more advanced management capabilities
   at the cost of increased complexity and bootstrapping effort.  It
   however allows trust to be managed in a centralized manner and is
   therefore useful for larger networks with a need for an authoritative
   trust management.

6.3.  Certificate-based trust consensus

   The certificate-based consensus model is designed to be a compromise
   between trust management effort and flexibility.  It is based on
   X.509-certificates and allows each connected device to give a verdict
   on any other certificate and a consensus is found to determine
   whether a device using this certificate or any certificate signed by
   it is to be trusted.

6.3.1.  Trust Verdicts

   Trust Verdicts are statements of HNCP-devices about the
   trustworthiness of X.509-certificates.  There are 5 possible verdicts
   in order of ascending priority:

      0 Neutral: no verdict exists but the homenet should find one

      1 Cached Trust: the last known effective verdict was Configured or
      Cached Trust

      2 Cached Distrust: the last known effective verdict was Configured
      or Cached Distrust

      3 Configured Trust: trustworthy based upon an external ceremony or
      configuration

      4 Configured Distrust: not trustworthy based upon an external
      ceremony or configuration

   Verdicts are differentiated in 3 groups:

      Configured verdicts are used to announce explicit verdicts a
      device has based on any external trust bootstrap or predefined
      relation a device has formed with a given certificate.

      Cached verdicts are used to retain the last known trust state in
      case all devices having configured verdicts about a given
      certificate have been disconnected or turned off.





Barth                    Expires April 17, 2015                 [Page 5]


Internet-Draft    HNCP - Security and Trust Management      October 2014


      The Neutral verdict is used to announce a new device intending to
      join the homenet so a final verdict for it can be found.

   The current effective trust verdict for any certificate is defined as
   the one with the highest priority from all verdicts announced for
   said certificate at the time.  A device MUST be trusted for
   participating in the homenet if and only if the current effective
   verdict for its own certificate or any one in its certificate
   hierarchy is (Cached or Configured) Trust and none of the
   certificates in its hierarchy have an effective verdict of (Cached or
   Configured) Distrust.  In case a device has a configured verdict
   which is different from the current effective verdict for a
   certificate the current effective verdict takes precedence in
   deciding trustworthiness however the device still retains its
   configured verdict in its configuration.

6.3.2.  Trust Cache

   Each device maintains a trust cache containing the current effective
   trust verdicts for all certificates currently announced in the
   homenet.  This cache is used as a backup of the last known state in
   case there is no device announcing an configured verdict for a known
   certificate.  It SHOULD be saved to a non-volatile memory at
   reasonable time intervals to survive a reboot or power outage.

   Every time a device (re)joins the homenet or detects the change of an
   effective trust verdict for any certificate it will synchronize its
   cache and store the new effective verdict overwriting any previously
   cached verdicts.  Configured verdicts are stored in the cache as
   their respective cached counterparts, Neutral verdicts are never
   stored.

6.3.3.  Announcement of Verdicts

   A device always announces any configured trust verdicts it has
   established by itself.  It also announces cached trust verdicts it
   has stored in its trust cache if one of the following conditions
   applies:

      The stored verdict is Cached Trust and the current effective
      verdict is Neutral or does not exist.

      The stored verdict is Cached Distrust and the current effective
      verdict is Cached Trust.

   A device rechecks these conditions whenever it detects changes of
   announced trust verdicts anywhere in the network.




Barth                    Expires April 17, 2015                 [Page 6]


Internet-Draft    HNCP - Security and Trust Management      October 2014


   Upon encountering a device with a hierarchy of certificates for which
   there is no effective verdict a router announces Neutral verdicts for
   all certificates found in the hierarchy until an effective verdict
   different from Neutral can be found for any of the certificates or a
   reasonable amount of time (10 minutes is suggested) with no reaction
   and no further connection attempts has passed.  Such verdicts SHOULD
   also be limited in rate and number to prevent denial-of-service
   attacks.

   Trust verdicts are announced using Trust-Verdict TLVs:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type: Trust-Verdict (20)    |        Length: 41-104         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Verdict    |                 (reserved)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                                                               |
   |                                                               |
   |                      SHA-256 Fingerprint                      |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Common Name                          |

      Verdict represents the numerical index of the verdict.

      (reserved) is reserved for future additions and MUST be set to 0
      when creating TLVs and ignored when parsing them.

      SHA-256 [RFC6234] Fingerprint contains the fingerprint of the
      certificate.

      Common Name contains the variable-length (1-64 bytes) common name
      of the certificate.

6.3.4.  Bootstrap Ceremonies

   The following methods are defined to establish trust relationships
   between HNCP-routers and router certificates.  Trust establishment is
   a two-way process in which the existing homenet must trust the newly
   added device and the newly added device must trust at least one of
   its neighboring routers.  It is therefore necessary that both the
   newly added device and an already trusted device perform such a



Barth                    Expires April 17, 2015                 [Page 7]


Internet-Draft    HNCP - Security and Trust Management      October 2014


   ceremony to successfully introduce a device into a homenet.  In all
   cases an administrator MUST be provided with external means to
   identify the device belonging to a certificate based on its
   fingerprint and a meaningful common name.

6.3.4.1.  Trust by Identification

   A device implementing certificate-based trust MUST provide an
   interface to retrieve the current set of effective trust verdicts,
   fingerprints and names of all certificates currently known and set
   configured trust verdicts to be announced.  Alternatively it MAY
   provide a companion HNCP-device or application with these
   capabilities with which it has a pre-established trust relationship.

6.3.4.2.  Preconfigured Trust

   A device MAY be preconfigured to trust a certain set of device or CA
   certificates.  However such trust relationships MUST NOT result in
   unwanted or unrelated trust for devices not intended to be run inside
   the same network (e.g. all other devices of that manufacturer).

6.3.4.3.  Trust on Button Press

   A device MAY provide a physical or virtual interface to put one or
   more of its internal network interfaces temporarily into a mode in
   which it trusts the certificate of the first HNCP-device it can
   successfully establish a connection with.

6.3.4.4.  Trust on First Use

   A device which is not associated with any other homenet-router MAY
   trust the certificate of the first HNCP-device it can successfully
   establish a connection with.  This method MUST NOT be used when the
   device has already associated with any other HNCP-router.

7.  Other homenet protocols

   An IGP is usually run alongside HNCP in a homenet therefore the
   individual security aspects of the respective protocols must be
   considered.  It can however be summarized that current candidate
   protocols (namely Babel, OSPFv3, RIP and IS-IS) provide - to a
   certain extent - similar security mechanisms.  All mentioned
   protocols do not support encryption and only support authentication
   based on pre-shared keys natively.  This influences the effectiveness
   of any encryption-based security mechanism deployed by HNCP as
   homenet routing information is usually not confidential.





Barth                    Expires April 17, 2015                 [Page 8]


Internet-Draft    HNCP - Security and Trust Management      October 2014


   As a PSK is required to authenticate IGP-traffic and potential other
   protocols, HNCP is used to create and manage it.  The key length is
   defined to be 32 Bytes to be reasonably secure.  The following rules
   determine how a key is managed and used:

      If no Managed-PSK-TLV is currently being announced, an HNCP-router
      creates one with a random key and adds it to its node-data.

      In case multiple routers announce such a TLV at the same time, all
      but the one with the highest router-ID stop advertising it and
      adopt the remaining one.

      The router currently advertising the Managed-PSK-TLV must generate
      and advertise a new random one whenever the HNCP security
      mechanism stops trusting one or more trusted devices - i.e.  HNCP
      is secured with a PSK itself and it was changed or a certificate
      has changed from trusted to distrusted.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type: Managed-PSK (21)     |          Length: 36           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                                                               |
   |                                                               |
   |                           Random PSK                          |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   PSKs for individual protocols are derived from the random PSK through
   the use of HMAC-SHA256 [RFC6234] with a pre-defined per-protocol
   HMAC-key in ASCII-format.  The following HMAC-keys are currently
   defined to derive PSKs for the respective protocols:

      "ROUTING": to be used for IGPs.  If a Random PSK exists then the
      derived PSK MUST be used to secure the chosen IGP.

8.  Security Considerations

8.1.  Revocation of Trust

   Revoking trust in a protocol intended for bootstrapping is non-
   trivial, since neither an accurate clock nor network connectivity to




Barth                    Expires April 17, 2015                 [Page 9]


Internet-Draft    HNCP - Security and Trust Management      October 2014


   retrieve authenticated revocation information can be assumed in all
   situations.

   The Certificate-based trust consensus mechanism defined in this
   document allows for a consenting revocation, however in case of a
   compromised device the trust cache may be poisoned before the actual
   revocation happens allowing the distrusted device to rejoin the
   network using a different identity.  Stopping such an attack might
   require physical intervention and flushing of the trust caches.
   However such an attack is often times more easily detectable than
   threats discussed earlier in this document such as a silent
   manipulation of routing information and related man-in-the-middle
   attacks.

9.  IANA Considerations

   IANA should add HNCP TLV types with the following contents:

   20: Trust-Verdict

   21: Managed-PSK

10.  References

10.1.  Normative references

   [I-D.ietf-homenet-hncp]
              Stenberg, M. and S. Barth, "Home Networking Control
              Protocol", draft-ietf-homenet-hncp-01 (work in progress),
              June 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

10.2.  Informative references

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.






Barth                    Expires April 17, 2015                [Page 10]


Internet-Draft    HNCP - Security and Trust Management      October 2014


   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

Appendix A.  Draft source

   As usual, this draft is available at https://github.com/fingon/ietf-
   drafts/ in source format (with nice Makefile too).  Feel free to send
   comments and/or pull requests if and when you have changes to it!

Appendix B.  Acknowledgements

   Thanks to Markus Stenberg, Pierre Pfister and Mark Baugher for their
   contributions to the draft and Xavier Bonnetain for ideas on a web of
   trust and PSK-management in I-D.bonnetain-hncp-security-00.

Author's Address

   Steven Barth

   Email: cyrus@openwrt.org






























Barth                    Expires April 17, 2015                [Page 11]